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Abstract. Analysis of cryptographic protocols in a symbolic model is 
relative to a deduction system that models the possible actions of an 
attacker regarding an execution of this protocol. We present in this pa- 
per a transformation algorithm for such deduction systems provided the 
equational theory has the finite variant property, the termination of this 
transformation entails the decidability of the ground reachability prob- 
lems. We prove that it is necessary to add one other condition to obtain 
the decidability of non-ground problems, and provide one new such cri- 
terion. 



1 Introduction 

Cryptographic protocols are programs designed to ensure secure electronic com- 
munications between participants using an insecure networks. Unfortunately, the 
existence of cryptographic primitives such as encryption and digital signature is 
not sufficient to ensure security and several attacks were found on established 
protocols [16,1]. The most relevant example is the bug of the Needham-Schroeder 
protocol found by Lowe [24] using a model-checking tool. It took 17 years since 
the protocol was published to find the attack, a so-called man-in-the-middle at- 
tack. This situation leads to the development of tools and decision procedures 
for the formal verification of security protocols. There are several approaches 
to modelling cryptographic protocols and analysing their security properties: 
reachability analysis (e.g.: NRL [28]), model checking (FDR [25,26], Mur v [30]), 
modal logic and deduction [10], process calculi like the spi-calculus [2], so-called 
cryptographic proofs ([3]) and others. Here, we use yet another technique, based 
on the resolution of reachability problems. 

Early works on verification of cryptographic protocols studied the standard 
Dolev-Yao intruder model [32] and the perfect cryptography [21] which states 
that it is impossible to obtain any information about an encrypted message with- 
out knowing the exact key necessary to decrypt this message. Unfortunately, this 
perfect cryptography assumption has proven too idealistic: there are protocols 
which can be proven secure under perfect cryptography assumption, but which 
are in reality insecure since an attacker can use properties of the cryptographic 
primitives in combinaison with the protocol rules in order to attack protocol. 



These properties (so-called algebraic properties) are typically expressed as equa- 
tional theories. An overview on algebraic properties of well-known cryptographic 
primitives can be found in [19]. In this paper, we study the class of equational 
theories represented by a finite convergent rewrite system and having the finite 
variant property modulo the empty theory [18]. 

Another point of interest is that an intruder is modelled by a deduction 
system representing the possible inferences it can make on the messages it knows. 
A ground reachability problem for a given deduction system consists in giving 
a proof using the permitted deductions of a fact represented by a ground term 
t from a set of known facts represented by a finite set of terms E. General 
reachability problems are generalisation of the problem in which the goal t has 
non variables, and the goal is to find a ground substitution a of these variables 
such that the instance ta is provable from a finite set of ground terms E. This 
generalisation consists in providing intermediate steps to solve. 

Proof strategy. In [17], H. Comon-Lundh proposes a two-steps strategy to solve 
general reachability problems, i.e. first to solve the ground reachability problems 
by invoking some locality argument, and then to reduce general reachability 
problems to ground ones. The method described in this paper roughly follows 
this line. We employ the finite variant property to reduce reachability problems 
modulo an equational theory to reachability problems modulo the empty the- 
ory. We then partially compute a transitive closure of the possible deductions. 
We prove that the termination of this computation implies the decidability of 
the ground reachability problems. We conjecture that the overall construction 
amounts to proving that the deduction system is F- local [9]. We then give a 
new criterion that permits us to reduce general reachability problems to ground 
reachability problems. This criterion is based on counting the number of vari- 
ables in a reachability problem before and after a deduction is guessed, and is a 
generalisation of the one employed for the specific case of the Dolev-Yao intruder 
model. The intuition behind this criterion is that a deduction rule has to provide 
more relations between existing fact than it introduces new unknown. We give 
an example showing that such an additional criterion is needed, in the sense 
that there exists deduction systems on which the saturation algorithm termi- 
nates, but for which the general reachability problems are undecidable. Another 
contribution of this paper is a decidability result to the ground reachability prob- 
lems for the theory of blind signature [23] using the initial definition of subterm 
introduced in [5,8], a similar result was given in [4] using an extended definition 
of subterm. In addition we give a decidability result to the general reachability 
problems for a class of subterm convergent equational theories, while a more 
general result was given in [8] , the proof given in this paper for our special case 
is much shorter. 

Related works. Several decidability results have been obtained for cryptographic 
protocols in a similar setting [6,29,7]. These results have been extended to handle 
algebraic properties of cryptographic primitives [12,13,11,4]. In [5], a decidability 
result was given to the ground reachability problems in the case of subterm 



convergent equational theories. This result was extended in [4] and a decidability 
result to the ground reachability problems in the case of locally stable AC- 
convergent equational theories was given. Moreover, again in [4], a decidability 
result was given to the ground reachability problems for the theory of blind 
signature [23] while this theory was not included in [5] . To obtain a decidability 
result for the theory of blind signature, Abadi and Cortier [4] use a new extended 
definition of subterm. The result obtained in [5] was extended in [8] in different 
way than in [4] and a decidability result was obtained to the general reachability 
problem for the class of subterm convergent equational theory. The first result 
of our paper is a decidability result to the ground reachability problems for 
a class of equational theories which includes the class studied in [5]. We note 
that the class studied in [4] is incomparable with ours and we note also that 
the proof used in [4] to decide the ground reachability problems for the theory 
of blind signature is different from the ours. Another result of this paper is a 
decidability result to the general reachability problem for a class of equational 
theories under some conditions on the deduction systems and the class studied 
in [8] is incomparable with ours. In [9], a decidability result was given to the 
general reachability problems under some syntactic conditions on the intruder 
deduction rules, this result is incomparable with ours. 

2 Preliminaries 

We now introduce some notations and basic definitions for terms, equational the- 
ories and term rewriting systems (the reader may refer to [20] for more details), 
and then proceed with the definition of the so-called intruder constraints. 

2.1 Terms 

We assume given a signature Q, an infinite set of variables X and an infinite set 
of free constants C. The set of terms built with Q and X is denoted T(G, X) and 
its subset of ground terms (terms without variables) T(Q). We denote Var(t) 
the set of variables occurring in a term t 6 T(Q,X), |Var(t)| the number of 
elements in the set |Var(t)| that is the number of distinct variables occurring 
in t. Sub(t) the set of subterms of t and SSub(t) the set of strict subtcrms of 
t. These notations are extended as expected to sets of terms. We denote t[s] a 
term t that admits s as subterm and t[s <— s'] the term t in which s is replaced 
Toys'. 

A substitution a is an involutive mapping from X to T(Q, X) such that 
Supp(er) = {x | cr(x) ^ x}, the support of er, is a finite set. The application of a 
substitution a to a term t (resp. a set of terms E) is denoted ta (resp. Ea). A 
substitution a is ground w.r.t. Q if the image of Supp(cr) is included in T{G). 

We recall in the following the definition of reduction order: 

Definition 1. Let Q be a signature and X be an infinite set of variables. A strict 
order >~ on T{Q, X) is called a rewrite order iff it is 



1. compatible with Q -junction symbols: for all s, s' G T((J, X) and all f G Q 
with arity n > 0, t\ >- ti implies 

f(tl, . . . , ti-li s i U+i, ■ ■ ■ , t n ) >- f(t±, . . . , U—i, s , tt+l 5 ■• ■ i tn) 

for all i, 1 < i < n, and aZZ ii, . . . , ii+i, ■ • • >^n G T((?, 

closed under substitutions: for all s, s' G T((7, A") and substitutions 

a, s >~ s' implies <x(s) >- c(s'). 

reduction order is a well-founded rewrite order. 

We consider a reduction order >- over T(Q, X) total over ground terms. We 
denote ^ the relation between terms such that t\ >z ti iff t\ >~ t% or t\ = t2 for 
t u h g T(Q, X). 

A rewriting system TZ is a finite set of couples (i, r) G T(Q, X) 2 , where each 
couple is called a rewriting rule and is denoted Z — > r. The rewriting relation 
between terms is defined by t — i' if there exists Z — > r G and a 
substitution u such that Icr = s and rcr = s', t = t[s] and t' = t[s <— s']. A 
rewriting system is terminating if for all terms t there is no infinite sequence 
of rewriting starting from t. It is convergent if it has moreover the confluence 
property: every sequence of rewriting ends in the same term denoted (i)!^, or 
simply (t)l if TZ is clear from the context. We say that a term t is in normal 
form if t = (t)l-n. A substitution a is in normal form if for all x G Supp(cr), 
the term c(x) is in normal form. Given a substitution a, we denote (cr)| K the 
substitution such that, for all x G Supp(cr) we have {xa)l n = x{a)[ n . 

An equational theory Ti is a congruence relation on terms in T(C/, X). We 
denote t =u f the fact that the term t and t' are identified by Ti. We say that 
Ti is generated by a convergent rewriting system TZ if t =n t' iff (t)!^ = 

2.2 Unification systems 

Definition 2. (Unification systems) Let Ti be an equational theory. A Ti- 
unification system S is a finite set of pairs of terms in T(G, X) denoted by 

\ui = T-t v i f ■ It is satisfied by a substitution a, and we note a |= nS , if 

I. J ie{l,...,n} 

for all i G {1, . . . , n} we have uio —n V{0~ . In this case we call a a solution or a 
unifier of S . 

When Ti is generated by a convergent rewriting system TZ, considering a 
bottom-up normalisation shows that if a is a solution of a 7i-unification sys- 
tem, then (cr)| is also a solution of the same unification system. A top-down 
normalisation on solutions also demonstrates that we can assume that terms in 
a unification system are in normal form. Accordingly we will consider in this 
paper only solutions in normal form of unification systems in normal form. A 
unifier a is more general than a unifier r if there exists a substitution 6 such 
that cr6 = r. A complete set of unifiers of a 7i-unification system S is a set £ of 
unifiers of S such that, for any unifier r of S, there exists a G S which is more 



general than r. The unifier t is a most general unifier of S if the substitution 
9 in the preceding equation is a variable renaming. We denote mgu(S) the set 
of most general unifiers modulo TL of a unification system S. In the context of 
unification modulo an equational theory, standard (or syntactic) unification will 
also be called unification in the empty theory. In this case, it is well-known that 
there exists a unique most general unifier of a set of equations. This unifier is 



Finite Variant Property. We will abusively write that an equational theory TL 
has the finite variant property if the couple (TL, 0) has the finite variant property 
in the notation of [18]. Let us now formally state the definition of this property 
in this case, simplified using the Lemma 3 and the Theorem 1 of [18]. 

Definition 3. (Finite Variant Property) A theory TL has the finite variant prop- 
erty if, for any term t, one can compute a finite set of substitutions 9\, . . . , 9 n 
( the variant substitutions ) such that, for any substitution a in normal form there 
exists i G {1, . . . , n} and a substitution a' in normal form such that a = 9{g' 
and (to~)l = {t9i){a' . The terms (t9i)[ are called the variants oft. 

Examples of equational theories having the finite variant property are those 
defined by a convergent rewriting system and such that either basic narrow- 
ing [22] terminates or the rewriting system is optimally reducing [31]. 

The finite variant property ensures that it is possible to compute a com- 
plete set of most general unifiers between two terms t and t' . Indeed, it suf- 
fices to compute for these two terms the respective sets of variant substitutions 
rra }> {0j}j e r 1 n y an( i to (try to) unify in the empty theory every pair 



In the rest of this paper we will consider equational theories TL having the 
finite variant property and generated by a convergent rewriting system 1Z. 



2.3 Deduction systems 

The notions that we give here have been defined in [15]. These definitions have 
since been generalised to consider a wider class of intruder deduction and con- 
straint systems [14]. Although this general class encompasses all deduction and 
constraint systems given in this paper, we have preferred to give the simpler 
definitions from [15] which are sufficient for stating our problem. We will refer, 
without further justifications, to the model of [14] as extended deduction sys- 
tems. The constraint systems considered and defined here correspond to sym- 
bolic derivations [14] in which a most general unifier of the unification system 
has been applied on the output messages (for Def. 6) and on input variables (for 
the extended constraint systems). 

In the context of a security protocol (see e.g. [28] for a brief overview), we 
model messages as ground terms and intruder deduction rules as rewriting rules 




of terms [t9. t )l = {t'9'^l. 



on sets of messages representing the knowledge of an intruder. The intruder 
derives new messages from a given (finite) set of messages by applying deduction 
rules. Since we assume some equational axioms TL are satisfied by the function 
symbols in the signature, all these derivations have to be considered modulo the 
equational theory TL generated by 1Z. 

Definition 4. A deduction system X is given by a triple (Q, £, TL) where Q is a 
signature, C is a set of deduction rules I -» r, where I a set of terms in T(C?, X) 
and r a term in T(C?, X), and TL is an eguational theory. 

Each rule I -» r in C defines a deduction relation -^i^ r between finite sets 
of terms. Given two finite sets of terms E and F we have E -^i^» r F if and 
only if there exits a substitution a, such that la ~n I', ra r', I' C E and 
F = E U {r 1 }. We denote -»x the union of the relations -»;_» r for alH -» r in L 
and by -^>* x the transitive closure of Note that, given sets of terms E, E' , 
F and F' such that E ~u E' and F =u F' by definition we have E -»z F iff 
E' -»2 F' ■ We simply denote by -» the relation -»i when there is no ambiguity 
about X. 

We recall that X is the extension of the reduction order >~ defined over 

T(g,x). 

Definition 5. A deduction rule I -» r is a decreasing rule if there is a term 
s G I such that s y r and it is increasing otherwise. 

From now, if C is the set of deduction rules, we denote by Ci nc the set of 
increasing rules and by Cdec the set of decreasing rules. By definition of increasing 
and decreasing rules, we have C = Ci„ c U Cdec- 

A derivation D of length n, n > 0, is a sequence of steps of the form Eq -»j 

Eq, t\ -»x • • • -»i E n with finite sets of terms Eq, . . . E n , and terms t\, . . . ,t n , 

such that Ei = E.^i U {t,} for every i e {1, . . . , n}. The term t n is called the 

goal of the derivation. We let trace(D) be the set of terms constructed during 

i 

the derivation D, tracc(-D) = Eo U {ti, . . . , t n }. Wc define E to be equal to the 

x 

set of terms that can be deduced from E, E = {t s.t. E ... X E and t £ E'}. 
If there is no ambiguity on the deduction system 1 we write E instead of E % ' . 

2.4 Constraint systems 

We now introduce the constraint systems to be solved for checking protocols. It is 
presented in [15] how these constraint systems permit to express the reachability 
of a state in a protocol execution. 

Definition 6. (X-Constraint systems) LetX — (Q,C,TL) be a deduction system. 
An 2"-constraint system C is denoted ({Ei t> i>j)j£{i,. ..,«}, S) and is defined by a 
sequence of pairs (Ei,Vi) ie ^i n \ with v\ E X, Ei C T(C?, X), Ei C Ei + \ and 
Var(Bj) C {vi, . . . , Vi-x} for i £ {1, ... ,n} 7 and by an TL-unification system S. 

An T-Constraint system C is satisfied by a substitution a if for all i E 
{1, . . . , n} we have Via E EiU and if a S. We denote that a substitution a 
satisfies a constraint system C by a \=j C. 



Constraint systems are denoted by C and decorations thereof. Note that if a 
substitution a is a solution of a constraint system C, by definition of deduction 
rules and unification systems the substitution (p)\ is also a solution of C. In 
the context of cryptographic protocols the inclusion Ei_\ C Ei means that the 
knowledge of an intruder does not decrease as the protocol progresses: after 
receiving a message a honest agent will respond to it, this response can then be 
added to the knowledge of the intruder who listens to all communications. The 
condition on variables stems from the fact that a message sent at step i must be 
built from previously received messages recorded in the variables Vj,j < i, and 
from the initial knowledge (set of ground terms) of the honest agents. Our goal 
is to solve the following decision problem. 

X-Reachability Problem 

Input: An X-constraint system C. 

Output: Sat iff there exists a substitution a such that a \=x C. 



3 Saturation 

In the rest of this paper, we suppose that Tq = (Q, Co, TL) is an initial deduction 
system. We assume that Co is the union of rules x±, . . . , x n -» f(x\, . . . , x n ) for 
some function symbols f 6 Q. 

Let 7i be an equational theory having the finite variant property and gener- 
ated by a convergent rewriting system 1Z. The saturation of the set of deduction 
rules Co defined modulo the equational theory 7i is the output of the application 
of the saturation algorithm given by the following two steps: 

— Step 1: Anticipating the application of rules of Co on ground terms in 
normal form, we define the set C of rules "in normal form" : 

C= (J x\6, . . . ,x n 9 -» (f(xi, . . . ,x n )0)i\ 

xi,...,x n -» /(xi, . . . , x n ) e Co 
9 variant subsitution of f(x\, . . . , x n ) 

This union is over finite sets thanks to the finitencss of Co and to the finite 
variant property. 

— Step 2: Start with C — C, repeat the rule given in Figure 1 until no new 
rule can be added. 

h -» n 6 C' inc ; h,s -» r 2 € £' s £ X 

C <-£'U{(l u h-»ra)(T} <r = mgu»(ri,8) 

Fig. 1. closure rule. 



We define two new deduction systems, corresponding each to one step of the 
saturation algorithm, T = (Q, C, 0) and I 1 = (Q, £ , 0). Since in the first step we 
consider all possible variants of all possible deduction rules, we have: 



Lemma 1. Let E and F be two sets of ground terms in normal form we have: 



Proof. Let E and F be two sets of ground terms in normal form and assume 
there is a rule x\, . . . , x n -» f(xi, . . . , x n ) £ Co such that E -» Xl ,...,x n ^f{x 1 ,...,x 7l ) 
F. By definition there exists a ground substitution a in normal form such that 
{x\, . . . ,x n )o~ C E and F = E U {(f(xi, . . . ,x n )a)i}. Due to the finite variant 
property, there exists a variant substitution 9 of f(x\, . . . , x n ) and a ground 
normal substitution a' such that (f(xi, ■ ■ ■ , x n )o~)l = (f(xi, . . . , X n )6)lo~' and 
a = 9a' . The rule Img{9) -» (f(xi, . . . , x n )9){ was added to C by Step 1 this 
implies that E —»j F. To prove the converse, notice that if (x±, . . . , x n )8 —» 
(f(xi, . . . , x n )9)l can be applied with the normal ground substitution a' on 
E, then the rule x\, . . . ,x n -» f{x±, . . . ,x n ) can be applied with the ground 
substitution a = {9a')l on E. □ 

Also, the computation of Step. 2 is correct and complete in the following 
sense. 

Lemma 2. For any set of ground terms E in normal form and any ground term 

i x' 

t in normal form we have: t 6 E if and only if t £ E . 

Proof. The direct implication is trivial since CJ is initialised with C. Let us 
prove the converse implication. Assume that there exists a I'-derivation starting 
from E of goal t. Let us define an arbitrary total order on the rules of C, and 
we extend this order to rules of £ \ C as follows: rules of C are smaller than the 
rules of £' \ C and rules of CJ \ C are ordered according to the order of their 
construction during the saturation. Let M(-D) be the multiset of rules applied in 



D. Let f2(E, t) = < D | D : E F 3 t >. By construction, the ordering on rules 



is total and well-founded, and thus the prc-ordcring on derivations in f2(E, t) 

x' 

is also total and well-founded. Since t £ E , we have fl(E 1 t) ^ 0, and thus 
M(f2(E, t)) has a minimum element which is reached. Let I? be a derivation in 
£2(E,t) having the minimum M(_D), and let us prove that D employs only rules 
in C By contradiction, assume that D uses a rule !-»re£'\£ applied with 
a ground substitution a on a set F. Since I -» r ^ it has been constructed 
by closure rule. Thus, there exists two rules l\ -» r% £ C' inc and I2 -» r 2 £ C , a 
term s £ I2 \ X such that s and r\ are unifiable, a = mgu(s, ri), I = (ii, Z2 \ s)a 
and r = r2a. Replacing the application of the rule I -» r by two steps applying 
first the rule l\ -» r\ and then I2 — » r2 yields another derivation D' . Since I ^> r 
must have an order bigger than the order of l± r% and I2 -» ^2 and the last 
two rules arc in £', we deduce that D' £ Q(E, t) and M(D') < M(D) which 
contradicts the minimality of M(D). □ 



E^i F iffE^> x F. 



Let E (resp. t) be a set of terms (resp. a term) in normal form and let D 
be a derivation starting from E of goal t, D : E = Eq -» E^,ti 
E n -2,t n —i -» E n —i,t. The derivation D is well-formed if for all rules Z -» r 
applied with substitution cr, for all u G Z \ X we have either wer 6 E or iter was 
deduced by a former decreasing rule. The following lemma is a consequence of 
the computation of the closure. Notice that we do not assume here, nor afterward 
unless stated, that the saturation terminates. 

Lemma 3. Let E (resp. t) be a set of terms (resp. a term) in normal form such 
X' 

that t G E . For all I' -derivations D starting from E of goal t we have either 
D is well-formed or there is another X' -derivation D' starting from E of goal t 
such that tracc(D) = trace(-D') and D' is well-formed. 

X' 

Proof. We have t G E implies that the set f2(E,t) of X'-derivations starting 
from E of goal t is not empty. Let D G Q(E, t), D : E = E -» E\ -» . . . -» 
E n -i,t, we denote U -» the rule applied at step i with the substitution o~i 
and suppose that D is not well-formed. Let us (pre-)order derivations in Q(E, t) 
with a measure M such that M(D') for a derivation D' is a multiset of integers 
constructed as follows: starting with M(D') = 0, for all steps k, 1 < k < n, for 
all terms u G lkO~k obtained by former increasing rule, add k to M(D'). Since 
this pre-order is well-founded, there exists a derivation d G f2(E,t) such that 
M(d) is minimum and trace(d) = trace(-D). Let us prove that d is well-formed. 
By contradiction, assume that d is not well-formed and let j be the first step in 
d such that lj -» rj is the rule applied with substitution o~j and there is a term 
u G I j \ X obtained by a former increasing rule, let lh -» Th be this rule. Since 
hi -» fh G C' inc and u £ X, Closure can be applied on lh -» rh and lj -» rj 
and the resulting rule can be applied at step j instead of lj -» rj yielding also 
Ej. Let d! be the derivation obtained after this replacement, d! G f2(E,t) and 
trace(d') = trace(ii). Since h < j and by definition of M, we have M(d') < M(d) 
which contradicts the minimality of M(d). We deduce that d is well- formed and 
then we have the lemma. 

□ 



4 Reachability problems 

4.1 Presentation of the algorithm and pre-computation 

This section is devoted to the presentation of an algorithm for solving Reach- 
ability Problems and to a proof scheme of its completeness, correctness and 
termination. In this section, we denote by Iq = (Q,Co,Ti) the initial deduction 
system and by T' = (Q,C, 0} the saturated deduction system. From now, we 
suppose that £' is finite and we recall that £' is partitioned into two disjoint 
sets of deduction rules C' inc and C' dec (by definition of increasing and decreasing 
rules). The algorithm comprises two steps, and is depicted in Fig. 2 



Resolution(C°) 
We let C° = {{Ef 

t> v i)i£{i,...,n}>S ) be an 2"o-constraint system. 

Step 1. Guess a finite variant substitution 6 for all terms of C°, apply 9 
on these terms and normalise them then solve the obtained unification 
system. Finally, apply the obtained solution a on the constraints. In the 
sequel we will abuse notations and denote the obtained constraint system 
C = (Ei D> t ! ) se{ i,...,„ } , where U = (u°0)|a and E % = (-E?0)|a. 
Step 2. Apply non-deterministically the transformation rules of Fig. 3 
Step 3. If a solved form is reached, return Sat, else return Fail. 

Fig. 2. Algorithm for solving constraint systems. 

Remarks. 

Solved form. A constraint system C as denoted at the end of the first step is in 
solved form if for all constraints E D> t G C we have t G X, Every constraint 
system in solved form has at least one solution [6] . 

Computation of the finite variants substitutions. Given C° = ((E® D> 
Vi)i<i<m <5°), and let T be a n-uplct containing terms appearing in C , 
T = (iti, . . . , u n ). Due to the finite variant property, T has finite set of vari- 
ant substitutions. We choose a variant substitution among the possible 
ones. 

Justification of the first step. Let a be a normal solution of the original con- 
straint system. The first step will non-deterministically transform terms of C, 
ui,...,u n , into terms it] 1 , . . . , u° such that, according to definition 3 we will 
have {(ujcr)j = u ? cr '} 1 <j< n f° r a normal substitution a' . It is easily verified 
that the first step always terminates. 

We prove below that there exists a solution to the original X - cons traint 
system C° iff there exists a solution to one of the possible constraint systems 
computed in the first step for the X' deduction system. 

Lemma 4. (Completeness) Let C° be an X^-constraint system. If C° is Xq- 
satisfiable, there exists a constraint system C in the output of Step 1. such that 
C is X' -satis fiable. 

Proof. WehaveC = ((E9\>Vi)i£ii n y,S°). Let a be a substitution in normal 

form such that a |=i C°. This implies that (vfa)i G (E^a)^" for i G {1, . . . , n} 

x' 

and thus, by lemmas 1 and 2, (vfa)i G (Efa)l for i G {1, . . . ,n}. We have 

also (s°a)l = (s'°a)l for all equations s° = s'° G S°. By definition 3, there 
exists a variant substitution 9 of the terms in C° and a substitution a' in normal 
form such that for each term u G C, we have (iter) J. = (u(9)J.cr'. This implies 

that («?0)1V G (^6»)|cr' X for i G {1, . . . , n} and (s°(9)K = (s'°(9)K for all 
equations s° = s'° G S° . The unification system (<S°0)J. has solution (a'), let ^ 



be its most general unifier, we have a' = fia for some substitution a and a \=%' 
(E°6)l(j, O (v°9)ifi for ie{l,...,n}. The constraint system C = (((Ef6)ifj, > 
(f^)|/i)ig{i n }) i s a possible output of Step 1 and it is Z'-satisfiable. □ 

Lemma 5. (Correctness) LetC (resp. C) be aTg- (resp. I 1 -) constraint system. 
Assume that C is obtained from C° by applying Step 1. If C is satisfiable then so 
is C°. 

Proof. Let C° (resp. C) be a 2 - (resp. I'-) constraint system and assume 

that C is obtained from C° by applying Step 1. This implies that C° = ((Ef > 

v?)ie{i,..., n },S°) and C = (((Efe)^ > (vf6)lfx) i&{h ..., n} ) while 9 is a variant 

substitution of the terms of C° and [i is the most general unifier of the unification 

system (S°9)i obtained from 5° by applying the variant substitution 9 on the 

terms of 5° and then normalising these terms. Since C is X'-satisfiablc there exists 

x' 

a normal substitution a such that (v^9)l^ia G (Ef9)lfia and thus (v^9/ia)i G 
(Ef9fia)i X ° (lemmas 1 and 2). We conclude that (6»^ct)| \= Xo C°. □ 

4.2 Transformation in solved form 

Let I 1 = (Q,C , 0) be the deduction system resulting from the application of the 
saturation algorithm. In the rest of this paper, we denote by l x , l\, . . . , l n -» r 
a £'-rule such that l x is a finite set of variables and {7i, . . . , l n } is a finite set 
of non-variable terms. Unless otherwise specified, X 1 is the deduction system 
implicit in all notations. 

In the rest of this section, we prove a progress property: If a satisfiable con- 
straint system is not in solved form, then a rule of Fig. 3 can be applied on it to 
yield another satisfiable constraint system. We will give conditions in the next 
section ensuring the termination of the application of these rules. 



C a ,E>t,Cp ueE \ x t4X, 

Unif : . ^ 

{C a ,Cp)a a = mgu{u,t) 

Reduce 1 : 

C a ,E > t,CfJ L,h, ■ • ■ Jn -» r G C' inc and t£X 

(C a ,(E>y) velx ,C0)<T ei ' • • • ' e " e E \ X and a = mgu({e t = h) r = t) 

Reduce 2 : 

l x ,h, .. . ,l n -» r G £' dec and t £ X 
C a ,E>t,Cp ei,.. .,e n G E \X and a = mguilei = k\ ) 

I J l<i<n 

(C a , (E > y) y ei x , E U r E> C^)ct is obtained from Cp by 

adding r to left hand aide of constraints 



Fig. 3. System of transformation rules. 
The progress proof relies on two normalisation lemmas for constraint systems. 



Lemma 6. Let C = (C a ,E t> t,Cp) be a constraint system such that C a is in 
solved form. Then, for all substitutions a we have: a \= C if and only if a \= 
(C a ,(E\X)>t,Cp) . 

Proof. It suffices to prove that if x £ E n X and a is a substitution such that 
a |= C, then we have a \= (C Q , (E \ {x}) > t, Cp). Given x £ E, by definition 6, 
there exists a set of terms E x C E such that E x > x € C Q . Since cr |= C we have 
cr (= E x > x, and by the fact that E x C E \ {x} we have cr \= E \ {x} > x. Since 
we also have a \= (E [> i) then, cr |= i? \ {x} > t. The reciprocal is obvious since 
£\^C£. □ 

Lemma 7. Let C = (C a ,E t> x,Cp) be a constraint system such that C a is in 
solved form and x Var(C Q , E, Cp) and let C = (C a ,Cp). We have: 

1. If<r\=C then a (= C . 

2. If a' |= C then we can extend a' to a such that a \= C. 

Proof. 1. Let C = (C a ,E t> x,Cp) and let a be a closed substitution such 
that <t |= C. Since x Var(C Q , E, Cp), we deduce that C = (C a ,Cp) is 
deterministic and a \= C . 
2. Let a' be a closed substitution such that a' \= C. Since Var(E) C Var(C Q ), cr' 
is defined on Var(C Q , E, Cp) and since x ^ Var(C a ,Cp), cr'(x) is not defined. 
We extend a' to cr as follows: 

°~(y) = <T '(y) f° r 2/ S Supp(cr'), c(x) is a closed term in E. 
Since x ^ Var(C a ,C^, E) and xcr S E'er, we deduce that a \= C. 

a 

Simplification step. Let C — (C Q , E t> t, Cp) be a constraint system such that C a 
in solved form and t X. If we apply Reduce 1 (resp. Reduce 2) on C using a 
rule l x ,li, . . . ,l n -» r such that there is a variable x £ l x \ Var(7i, . . . , ?*) then 
the constraint E t> x will be in the obtained constraint system C and x does not 
appear twice in C. By lemma 7, this constraint can be deleted from C . As a 
consequence, we apply a simplification step on the saturated deduction system 
C that eliminates variables x 6 l x \ Var(7i, . . . , l n , r) for all rules l Xl li, . . . , ^„ -» 
r e £. 

Each of the rules in Fig. 3 is correct and complete w.r.t. the satisfiability of 
constraint systems. 

Lemma 8. A satisfiable constraint system not in solved form can be reduced 
into another satisfiable constraint system by applying a rule of figure 3. 

Proof. Let C = (Ej > tj)i<j< n be a satisfiable constraint system not in solved 
form and let i be the smallest integer such that i; ^ X. Let C = (C a , E{ t> U,Cp) 
where C a is in solved form. Since C is satisfiable there exists a substitution cr 
such that cr \=z< C. Let us prove that C can be reduced into another satisfiable 
constraint system C by applying transformation rules given in figure 3. By lemma 
6, cr \=ji C implies cr \=x> (C a , Ei \X > ti,Cp) and that, by lemma 3, there is a 
well-formed derivation D starting from (Ei \ X)a of goal tiO. We have two cases: 



— If G (Ei \ X)a then there exists a term u £ Ei\X such that ua = tio. 
Let /i = mgu(ti, u), we have a = [i9 for some substitution 9. C can then be 
reduced to C by applying Unif rule, C = (C a ii,Cpn) and |=x/ C. 

— If ti<j £ (Ei \ X)a, let D : (Ei \ X)a -»...-» Fer, i^cr and for every step in D 
where I -» r is the rule applied with the substitution 7, for every s G l\X, 
we have either S7 G (-E 1 , \ X)a or S7 was constructed by a former decreasing 
rule. 

• Suppose that all applied rules in D are increasing and let I -» r be the 
last applied rule with the substitution 7, this implies that r^j = tia and 
for every s G I \ X, s-f G (Ei \ X)a and then for every s G I \ X there 
exists a term u G Ei \ X such that ,57 = ua. Let /z be the most general 

unifier of |r = ij, (s = u) Vse i\ x ^ ueEi \ x and S7=uo .|, we have a = [i9 and 
7 = /i6> for some 6*. This implies that C can be reduced to C = (C a , (Ei > 
x) x< zi,Cfj)n by applying Reduce 1 and 6> |=j/ C. 

• Suppose that D contains decreasing rules and let j be the first step 
where the applied rule is decreasing. Let I -» r be this rule applied with 
substitution 7. D : (Ei \ X)a = Fqct -» Foa,tia -»...-» Fj-i<j 
Fj-icr,tj<j -»...-» F n -i<j,ticr. Since £> is well-formed, we deduce that 
for every s G I \ X, G (i^ \ A')cr and then, for every s G I \ X there 
exists a term u G Ei \ X such that 57 = ua. Let /z be the most general 
unifier, we have 7 = fi9 and j — fi9 for some substitution 9. This implies 
that C can be reduced to C = (C ai (Ei > (Ei Ur)t> ti,C'g)n by 
applying Reduce 2 and 6* C 

□ 

Lemma 9. Lei C and C be two constraint systems such that C is obtained from 
C by applying a transformation rule. If C is satisfiable then so is C. 

Proof. Let C and C be two constraint systems such that C is obtained from C 
by applying a transformation rule and suppose that C is satisfiable. Let a' be a 
solution of C and let us prove that C is satisfiable. Since a transformation rule 
can be applied on C, C can't be in solved form. Suppose that C = (C a , E \>t, Cp) 
where C a is in solved form and t ^ X. 

— If C is obtained from C by applying Unif rule then, there exists a term 
u G E \ X such that u and t arc unifiable. Let fi be the most general unifier 
then C = (C a [i,Cpn). Since a' \=x> C, we have a' o /i \= X t (Cq,,C^) and by 
the fact that fi is the most general unifier of t and a term in E we have 
°~' t 1 \=T' E > t. We deduce that a' o ^ C. 

— If C is obtained from C by applying Reduce 1 then there exists an in- 
creasing rule l x ,h, ■ ■ ■ ,l n -» r, a set of terms ei,...,e„ in E \ X such 

that |r = t, (7^ = ei)i<.;<„| has solution. Let /i be the most general uni- 
fier. C' = (C a , (E > x) X Qi !cl Cfi)^,. Since a 1 \=%i C and by definition of we 
have a' o ji \= x > C. 



— If C is obtained from C by applying Reduce 2 then there exists a de- 
creasing rule l x ,li, . . . ,l n -» r and a set of terms ei, . . . , e„ in E \ X 



fier. C = (C Q , (£'>x) 2:e i x , (BUr)>t,Ci)//. Since cr' (=i/ C and by definition 
of and constraint systems, we have cr' o ^ \= X i C. 



5 Decidability of reachability problems 

In this section we first prove that if the saturation terminates then ground reach- 
ability problems are decidable. We then give an additional criterion that will 
permit us to lift this result to general reachability problems. 

5.1 Decidability of ground reachability problems 

We recall that To = (Q, Co, 7i) is the initial deduction system and I' = (Q, £ , 0) 
is the saturated deduction system. 

Let us also first recall in the following lemma some properties of reduction 
ordering. 

Lemma 10. Let t±,t2 G T(Q, X) and t\ -<t 2 . We have: 

1. Var(ti) C Var(i 2 ) 

2. h £ SSub(ii) 

3. Ift 2 G X then t x = t 2 
4- Ifti fiX then ti -fi x 

Proof. 1. Let t\ and t 2 be two terms and t\ ~< t 2 . If t\ = t 2 then we have 
obviously Var(ti) = Var^)- Suppose t\ ^ t 2 this implies that t\ -t, t 2 
and let us prove that Var(tx) C V&i(t 2 ). By contradiction, suppose that 
Var(ti) % \ai{t 2 ) and let x € Var(ti) \ Var^)- By definition of -<, we 
have t\<j -< t 2 a for all substitutions cr. Let cr be a substitution such that 
Supp(cr) = {x} and cr(x) — t 2 . This implies that t 2 o = t 2 and t 2 G Sub(iicr) 
which contradicts t\ <t 2 . 
2. If t 2 G SSub(ii) this implies that t\ ^ t 2 and t 2 -< t\ which contradicts 



3. If t 2 = x we deduce that Var(ii) C {x} and x fi SSub(<i). This implies that 
t\ = x. 

4. Suppose that t\ ^ x and t\ ~< x. This implies that Var(ii) C {x} and then, 
either t\ = x or x G SSub(ii). This contradicts the fact that t\ ^ x and 




most general uni- 



□ 



h<t 2 . 



x £ SSub(ti). 



□ 



A core result of this paper is the following lemma. 



Lemma 11. Let I' be a saturated deduction system such that C is finite. Ap- 
plying the transformation algorithm of Fig. 3 on a constraint system C without 
instantiating the variables of C yields only a finite number of different constraint 
systems. 

Proof. Assume the application of rules of Fig. 3 yields an infinite sequence of 
constraint systems Ci, . . . , C„, .... Let us prove there is only a finite number of 
different Ci when identical constraints within a constraint system are identified. 

Let us first prove that there is only a finite number of different left-hand side 
of deduction constraints. The number of different left-hand sides in a constraint 
system does not change (or decrease) when a Unif or ReduceI rule is applied. 
Assume now that a decreasing rule l x , l\, . . . , l n -» r G £ is applied with a 
substitution a on a constraint with left-hand side E. If ra G E, the number of 
different left-hand side does not change. Thus let us assume ra £ E, and thus 
ra £ U{7i<7, . . . , l n a}. Since r is smaller or equal to a term of the left-hand side 
of there rule, we have two case: 

— Either there exists i with ijcr >- ra, and thus there exists e G E such that 
e y ra. 

— Or r G l x \Var(Zi, . . . , l n )- Then the obtained constraint system contains the 
deduction constraints Eor and EU{r} >i and not other constraint contains 
r. By Lemma 6 the obtained constraint system is equivalent to the one in 
which E U {r} > i is replaced by E > t. 

Let us now consider the set T which is the union of all left-hand side of deduction 
constraints reachable from E by employing a decreasing rule. 

— the root is labelled by 0; 

— the sons of the root arc labelled by the terms in a left-hand side E; 

— The sons of the non-root node are defined as follows: assume there exists 
two left-hand sides E' and E" where E 1 is reachable from E, and there 
is a decreasing rule whose application leads to the addition of a deduction 
constraint with left-hand side E" = E" ,t\. Let t<i G E' be the term strictly 
greater than t\. We then set t\ as a son of t^- 

Since t<z y ti there is no cycle, and since we consider sets reachable from E, 
the "is son of" relation is connected. It thus defines a tree. We note that t^ is 
the instance of a non-variable term I in the left-hand side of a decreasing rule. 
There is only a finite number of such terms. Since we consider deductions in 
the empty theory, for each I there is a unique substitution a such that la = t^. 
Given the above properties of reduction ordering we have Var(r) C Var(Z) and 
thus t\ = ra is uniquely determined by the rule applied. Thus, each term ti 
has a finite number of sons t\. Along each branch of the tree a node t is strictly 
smaller than its parent. Since >- is a well-founded ordering, this implies that each 
branch is finite. Thus, by Konig's Lemma, this tree is finite. We conclude that 
T itself is finite. Each left-hand side of a deduction constraint is a subset of T, 
thus there is only a finite number of different left-hand sides. 



When applying Reduce 1 or Reduce 2 on a constraint E > t, the newly 
introduced constraints E > t' are such that t' is a strict subterm of a term in 
E or t. Let E' O t' be a deduction constraint reached from E l> t. Either t' is a 
subterm of t or there exists £"' reachable from E such that f ' is a strict subterm 
of E". Since there is only a finite number of different E", there is thus only a 
finite number of possible right-hand side of constraints. 

In conclusion only a finite number of deduction constraints E' > t' can be 
reached from a deduction constraint i£[>t. Thus only a finite number of constraint 
systems can be reached from a given one by applying rules that do not instantiate 
the variables in the constraint system. □ 

Definition 7. An Tq- ground constraint system C is denoted (Ex\>t\, . . . , E n \>t n ) 
and is defined by a sequence of pairs (Ei, ti)te{i ... n} suc -h that E± (resp. tj) is 
a set of ground terms (resp. ground term) in normal form and Ei C E i+ i for 
i e {1, . . . ,n}. 

We note that an Xo-ground constraint E > t is valid if t £ E T ° . We now 
consider the following problem: 

Xq- Ground Reachability Problem 

Input: An Zo-ground constraint system C. 

Output: Val iff (tj e Ei E °)ie{i,...,n}- 

We recall that t E E X " iff t G E 1 while E (resp. f) is set of closed terms 
(resp. closed term) in normal form (Lemmas 1 and 2). This implies that solv- 
ing Zo-g ro und reachability problem is reduced to solving Z'-ground reachability 
problem. It is then routine to see that a ground constraint system is valid if, 
and only if, it reduces to an empty sequence of deduction constraints. Thus by 
Lemma 11 we have: 

Theorem 1 If the saturation algorithm terminates on Co, the Xq- ground reach- 
ability problem is decidable. 

6 Termination of Saturation does not imply decidability 
of general reachability problems 

It is well-known how to encode 2-stack automata into deduction systems. How- 
ever the saturation will typically not terminate on standard encodings as it will 
amount in this case to the pre-computation of all possible executions of the au- 
tomaton. We can however adapt the construction so that saturation terminates. 
We consider a signature Q such that, for all symbol / <E Go of arity n, there is a 
deduction rule x±, . . . ,x n -» f(xi, . . . , x n ), and the signature Q = Q U {g} with 
g a symbol of arity 1. Let {Q,Qi ,Qf, S, II, A) be a finite 2-stack automaton, 
where Q is the finite set of states of the automaton, Qj and Qf its initial and 
final states, S denotes the alphabet of the words read by the automaton, and 77 



denotes the elements in the stacks of the automaton. We shall encode the empti- 
ness of the language recognised by this automaton into a general reachability 
problem. Let us assume there exists: 

— _L G Go be a constant denoting the empty stack or the empty word; 

— one unary symbol u a for each letter a £ S U iT; 

— one constant q € Q for each state in Q; 

— one symbol s € Q of arity 4 where we intend that: 

• the first argument represents the word that remains to be read by the 
automaton; 

• the second argument represents the current state of the automaton; 

• the third and fourth arguments represent the two stacks of the automa- 
ton. 

— one symbol / of arity 2. 

We represent a transition from a state o\ to a state a-i with a symbol r of arity 
1 and a rewriting rule T(g(f(ai,f(a2,x)))) — > g(f(a2,x)). The rewriting system 
has no critical pairs, and thus is confluent. Since every narrowing step decreases 
strictly the number of "r" symbols in a term, narrowing terminated, and thus 
the equational theory has the finite variant property. At the end of the first 
step of the saturation the system will contain the rules enabling the attacker to 
build sequences of states, and additional rules /(02, 2;))) -» g(f(v2i %)) 

that arc decreasing for any recursive path ordering. Since there is no increasing 
rule with the symbol g in the right-hand side, we leave to the reader the proof 
that saturation terminates, and hence that ground reachability problems are 
decidable. 

However, the instance of x in the following reachability problem encodes a 
word recognised by the automaton after a run encoded by the instance of y: 

> f(s{x, q , -L, _L), y), g(f(s(x, q , _L, _L), y)) > g(s(±, q f , 1, _L)) 

This example proves (with qo £ Qi and g/ G Qf) that the saturation can 
terminate and yield a deduction system for which general reachability problems 
are not decidable. 

The undecidability comes from the fact that one can apply an unbounded 
number of decreasing rules on a non-ground terms, and from the "lack of regu- 
larity" on the terms obtained. 

7 Decidability of general reachability problems 

We recall that the initial intruder system is given by Iq = (Q, £o,H.) while TL is 
generated by a convergent equational theory and has the finite variant property. 
We recall also that I' = (G, 0) is the saturated intruder system. 

We give here a simple criterion that permits to ensure the termination of the 
resolution of a constraint problem with a saturated deduction system. Let T be 
a set of terms, T — {ti, . . . ,t m }, we let A(T) to be the set of strict maximal 
subterms of T and we define: 



S(T) 



+00 if T C X 

\T\X\- |Var(T \ \ (T n Af)| otherwise. 



Now let us define fi(T). We consider the image of the set of terms T by the 
rewriting system U containing rules f(x±, . . . , x n ) — ► x\, . . . , x n for every symbol 
/ in the signature of the deduction system. Wc define: 



fi(T) = min 6{T') 

Ta ->£ T' 
a mgu of subterms of T 



We extend fj, to rules as follows. Let £' be the set of deduction rules. We 
recall that £' is partitioned into two disjoint sets of deduction rules, the set 
of increasing rules C' inc and the set of decreasing rules C' dec . For every rule 

lx{A{l \X U {r})) if I -» r is increasing, 
/i(Z\(7 \ X)) otherwise. 



fj,(l -» r) = 



Definition 8. (Contracting deduction systems) A saturated deduction system 
2' = (Q, £ , 0) is contracting if for all rules I -» r in £' we have [i(l -» r) > 0. 

Lemma 12. Let 5 = {si, . . . , s n } and T = \t\, . . . , t n } 6e two sets of terms and 

let a be the most general unifier ofV= |si = ti, . . . ,s n = Li|- If ^(T) > then 

either |Var(si, . . . , s„)| > |Var((si, . . . , s„, t\, . . . , t n )a)\ or |Var(si, . . . , s„)| = 
|Var((si, . . . , s n , ti, . . . , t n )u) \, S = So and for all x G Var(T) there is i € 
{1, . . . , n} such that o~(x) ^ Sj. 

Proof. Let V = |si = t\, . . . ,s n = t„|. In order to solve V, we apply the 

first step of the unification algorithm of Martelli-Montanari [27]. We reduce V 

f ? ? ? ? 1 

to V = <.xi = uu ■ ■ ■ ) ^fc = Wfc, = Wfe+i, • ■ ■ , i m = u rn > such that for every 

equation x = u G V"', we have either x G Var(S') and u G Sub(T) or x G Var(T) 
and u G Sub(5). We suppose that Xj G Var(T) for j G {1, . . . , fc}. 

— If k = m then we have Xj G Var(T) for j G {l,...,m}. We suppose 
that Xi 7^ Xj for all i,j G {l,...,m} and i ^ j. This implies that 
So = S and Var(T) are instantiated by subterms of 5, that is Var(T)cr are 
smaller or equal than terms in S. We conclude also that |Var(si, . . . , s n )\ = 
[Var((si, ...,s n ,ti,..., t n )a)\. 

— If k ^ m assume {itfc+i, . . . , u m } £ Var(T), we have different cases: 

• If for all different i, j G {1, . . . , m} we have Xi 7^ then to — k variables 
of S 1 , Xfc+i, . . . , x m , are instantiated by subterms of T, Uk+x, ■ . ■ , u m . This 
implies that when we apply a to <S, new variables, Var(itfc+i, . . . , u m ) \ 
{xi, . . . , Xfc} will appear in iSu. There exists a set T" % X such that T — 
T' and T' = {xi, . . . , x^, Ufc+i, . . . , u rn }. Since fi(T) > 0, we have \T' \ 
X\ > \Vai(T'\X) \ (xx,...,x k )\. This implies that |Var(si, . . . , s n )\ > 
|Var((si,...,s„,ti,...,t„)cr)|. 



• If there is different i, j £ {1, . . . , m) such that Xi = x.y. 

* If hj < k then we have to unify two subterms of S. Let U{ and Uj 
be these two subterms and a be their most general unifier. 

Let us apply a on V and to solve V we have to solve Va = 

|siQ! = ti, . . . , s n a = t n \. To solve Va we reduce it to another sys- 
tem V" where equations have the same form as in V . We note that 
|Var(T)| in Va is the same as in V and |Var(5)| is reduced. 
By the same reasoning as above, we deduce that |Var(5)| > 
|Var(Scr, Ta)\. 

* If i, j > k then we have to unify two subterms of T. Let m and 
Uj be these two subterms and a be their most general unifier. 
Let us apply a on V and to solve V we have to solve Va = 
jsi = t\a, ...,s n = t n a^ and to solve Va, we have to reduce it 
to another system V" where equations have the same form as in 
V. V" = jxi = u\, ... , x m = u m | where x\ . . . , Xk 6 Var(Ta) and 

Xk+i, ■ ■ ■ , i m G Var(S'). By definition of [i and by following the same 
reasoning as above, we deduce that: 

■ If k = m and for all different i,j £ {1, . . . ,m} we have Xi ^ Xj, 
we deduce that S — Scr, Var(T)cr arc smaller or equals than 
terms in S and then |Vax(5)| = \Vax(Sa,T<x)\. 

■ If k = m and there is different i, j such that xi = Xj then 
we have to unify two subterms of S and then we conclude that 
|Var(5)| > |Vax(So-,Tcr)|. 

• If k + m we deduce that |Var(5)| > \Vav(Sa,Ta)\. 

a 

The definition of fx is tailored to the proof of the following Lemma. 

Remark. Let T be a set of terms and let 2J(T) = 
{a s.t. a is the most general unifier of some subterms of T}. We remark 
that u(T) is defined with respect to Ta for every a £ S. It will be more naturel 
and more general if u(T) is defined with respect to T instead of some instances 
of T. The so-called general definition will be defined as follow: 

u(T) = min 8{T') 

T T" 
1 1 

Using the general definition of u, we remark that u(T) > docs not im- 
ply u(Ta) > for a set of terms T and a subtitution a £ £(T"). Let 
T = {f(x, x), f(x, y), /(y, x)} and let a be such that a(x) = y. Using the general 
definition of u, we remark that u(T) > and fJ>(Ta) = 0. 

Unfortunately, the lemma 12, used in the proof of termination (lemma 13), 
becomes false with the general definition. 



Lemma 13. Let T' be a saturated contracting deduction system, C be a I' - 
constraint system not in solved form. If a transformation is applied on C to yield 
a constraint system C , then either the substitution applied does not instantiate 
the variables of C and Var(C') C Var(C) or |Var(C')| < |Var(C)|. 

Proof. Let C be a constraint system such that a transformation rule can be 
applied on it. This implies that C is not in solved form. Let C = (C a , E > t,Cp) 
such that C a is in solved form and t ^ X. We have three cases: 

— If wc apply Unif rule on C then there exists a term e G E \ X such that 
e and t are unifiable and a is the most general unifier. C is then reduced 
to C = {C ai Cfj)a. Since we unify two subterms of C in the empty theory, 
either a does not instantiate the variables of C and then C = (C a ,Cp) (which 
implies that Var(C') C Var(C)) or a instantiates the variables of C (and then 
|Var(C')| < |Var(C)|). 

— Assume we apply Reduce 1 on C. By definition of Reduce 1 there exists an 
increasing rule l x , l±, . . . , l n — » r G £ , a set of terms ei, . . . , e„ G E \ X such 

that S = |r = t, (ei = li)i<i<n\ has a solution. Let a be its most general 

unifier. Either o~\y aT rc) = ^°'[ (J |Var(c) = Id] or not. Let us examine the two 
cases. 

°"|Var(C) = Id. In this case, C is reduced to C = (C a , {E > xa) X £i x ,Cp). For 
each li G {l\, . . . , l n } we have, by definition of ct, Z,er = ej. Also, we have 
rcr = i. Thus for each x G Var(Z l5 . . . , l n , r) we have Va,r(xcr) C Var(C). 
Since C Var(ii, . . . , l n , r) we deduce that Var(C') C Var(C). 

cr|Var(C) 7^ Id- In this case C is reduced to C = (C a , (E \> a;) 2;e ; ;E , Cp)a. Since 
the ei and r are not variables, wc can decompose all equations in S 
to obtain a set of equations in which each equation has a member in 
A{1\, . . . ,l n , r). Since the deduction system is contracting Lemma 12 im- 
plies |Var(ei, . . . , e„, t)\ > |Var(ei<T, . . . , e„a, ta, lia, . . . , l n a, ra)\. Since 
l x C Var(Zi, ...,l n ,r) we deduce that |Var(C)| > |Var(C')|. 

— Let us finally assume Reduce 2 is applied. First let us prove we can assume 
l x U Var(r) C Var({ii, . . . ,l n }). Since the rule is decreasing there exists a 
term I G l x U {h, . . . , l n } such that Var(r) C Var(i). Thus it suffices to prove 
l x C Var({ii, . . . , l n }). By definition of the Reduce 2 rule, the constraint 
system C is transformed into 

(C a , (E > y) ye i x \{x},E \>x,EU{x}]> t, C'^a 
= C a a, (Ea > ^jg^^a,].,^ > x, £er U {x} > ta.C'^a 
= C Q cr, (Sct d> y<r) y ei„\{x} , Ea f> x, Ea \> ta,Cf3cr 

= C a a,(Ea t> ya) yelj: \ {x} ,Ea t> ta,C/30- 

where the first = is by Lemma 6, and the second one by Lemma 7. 
Thus the resulting system is equivalent for solutions to one in which 
lx C Var(/i, . . . , l n ). We can then apply the same reasoning as above. 



□ 



We may now conclude by applying the previous results and again Konig's 
Lemma. 



Theorem 2 Let To = (Q,Co,H.) be a deduction system such that the saturation 
of Cq terminates , and the resulting deduction system is contracting. Then the 
To-reachability problem is decidable. 

Proof. It suffices to prove that the application of rules of Fig. 3 terminates. 
Assume there exists an I'-constraint system C and an infinite sequence of trans- 
formations starting from C. Let Cx, . . . ,C n , . . . be the resulting sequence of con- 
straint systems. By Lemma 13, at each step |Var(Cj)| > |Var(Cj+i)| and if there 
is equality, then the substitution applied on Ci is the identity (does not instanti- 
ate the variables of C). Since we must have a positive number of variables, there 
is only a finite number of steps where the substitution is not the identity. Let C n 
be the resulting constraint system. Since all subsequent transformation do not 
instantiate the variables of C n and its successor, the sequence has only a finite 
number of different constraint systems. 

Since £' is finite, each constraint system has only a finite number of succes- 
sors. Thus by Konig Lemma there is only a finite number of different constraint 
systems. □ 



8 Some relevant equational theories 

We give here some examples of well-known equational theories where the satu- 
ration applied on the corresponding initial set of deduction rules terminates. 



TLdv 



8.1 Dolev-Yao theory with explicit destructors 

The Dolev-Yao theory with explicit destructors is the classical Dolev-Yao model 
with explicit destructors such as decryption and projections. This theory is given 
by the following set of equations: 

' Dec s {Enc s {x 7 y),y) = x, 
Enc s (Dec s (x,y),y) = x, 
Dec a (Enc a (x, PK(y)), SK(y)) = x, 
Enc a (Dec a (x, SK(y)), PK(y)) = x, 

ni((x,y)) = x, 
. K2((x,y)) = y. 

By orienting equations of TLdv from left to right, we obtain a rewrite system 
TZ-dv generating TLdv- We remark that TZdv is convergent and TLdv has finite 
variant property 

The initial set of deduction rules is given by the following set of rules: 

x,y -» (x,y), 

X TTi(x), 
X -» TT 2 (x), 

x,y -» Enc a (x,y), 
x,y^> Dec a (x,y), 
x,y -» Enc s (x,y), 
x,y^» Dec s (x,y). 



Co 



The saturatation (modulo the simplification introduced after the lemma 7) 
outputs the following set of deduction rules: 

(x,y) -» x, 
(x,y) -» y, 

Dec a (x,SK(y)),PK(y)-»x, 
£' = £ U{ Enc a (x, PK(y)), SK{y) -» x, 
Des s {x,y),y -» x, 
Enc s (x,y),y -» x, 
[x,PK(y),SK(y)^x. 



8.2 Digital signature theory with duplicate signature key selection 
property 



The theory of digital signature with duplicate signature key selection property 
is defined in [11] and is given by the following set of equations: 

f Ver(x,Sig(x,SK(y)),PK(y)) = 1, 
Udsks = { Ver(x, Sig(x, SK'(y 1} y 2 )), PK'(y 1 ,y 2 j) = 1, 

{ Sig(x, SK'(PK(y),Sig(x, SK(y)))) = Sig{x, SK{y)). 

The equational theory Hdsks is generated by: 

f Ver(x,Sig(x,SK(y)),PK(y)) -> 1, 
_ I Fer(x, Sig(x, SK'( yi ,y 2 )), PK'(y u y 2 )) -» 1, 
DSffS I ^er(x, PK'(PK(y), Sig{x, SK{y)))) - 1, 

[ 5 l5 (x, SK'(PK(y),Sig(x, SK(y)))) - Si^x, 

We remark that IZdsks is convergent and Hdsks has the finite variant 
property. 

The initial set of deduction rules is given by the following set of rules: 

-» Sig(x,y), 
x,y,z -» Ver(x,y,z), 
_ I x,y -» SK'(x,y), 

0-»l. 

The saturatation (modulo the simplification introduced after the lemma 7) 
outputs the following set of deduction rules: 



' x,Sig(x,SK(y)),Pk(y)^ 1, 
x,Sig(x,SK'(y u y 2 )),PK'(y u y 2 ) -» 1, 
x,Sig(x,SK(y)),PK'(PK(y),Sig(x,SK(y))) -» 1, 

SK'(PK{y),Sig(x, SK(y))) -» Si 5 (x, SAty)), 
SA(y),PA(y)^l, 

s# , ( w> i&),Pir , (tfi,!&)-»i, 

x,SK(y),PK'(PK(y),Sig(x,SK(y))) -» 1, 

x, PK{y),Sig{x, SK{y)) -» Sig(x, SK(y)), 

x,PK(y),SK(y) -» Sig(x,SK(y)), 

y 1 ,y 2 ,PK'(y 1 ,y 2 ) -» 1, 

x,yi,y 2 ,Sig(x,SK'(yi,y 2 )) -» 1, 

y 1 ,y 2 ,SK'(y 1 ,y 2 ) -» 1, 

x,PK(y),Sig(x,SK(y))^l, 

x, PK(y),SK(y),Sig( Xl SK(y)) -» 1, 

x,SK(y),PK(y),PK'(PK(y),Sig(x,SK(y))) -» 1, 

x,SK{y),PK(y)^S%g{x,SK(y)). 



9 Decidability of ground reachability problems for the 
blind signature theory 

Blind signature was introduced in [23], it is defined by the signature 5 = 
{«S«<7, yer, £/M, -Pif, iS-ftT} which satisfies the following set of equations: 
f Ver(Sig(x,SK(y)),PK(y))=x, 

W= { Ubl(Bl(x,y),y) = x, 

{ Ubl(Sig(Bl(x,y),SK(z)),y) = Sig(x,SK(z)). 

Let 7?. be the set of rules obtained by orienting equations of 7i from left 
to right, 1Z is convergent and it is obvious that any basic narrowing derivation 
[22] issuing from any of the right hand side term of the rules of TZ terminates. 
This implies that any narrowing derivation (and in particular basic narrowing 
derivation) issuing from any term terminates [22] and thus 7i has finite variant 
property [18]. 

The initial deduction system is given by the tuple 2o = {G,£-o,'H) and we 
have: 




1 : x,y -» Sig{x,y), 

2: x,y -» Ver(x,y), 

3 : x,y -» Bl(x,y), 

4 : x, y -» Ubl(x, y). 



The first step of saturation outputs the following set of deduction rules: 

f 5: Sig(x,SK(y)),PK(y)^x, 
C = £ Q U < 6 : Bl(x, y), y -» x, 

[ 7 : Sig(Bl{x, y), SK(z)),y -» ^ 5 (x, 
We define a new deduction system I = (Q,C,9) and by lemma 1, we have: 
i 6 E " iff £ G E for every set of ground terms E (resp. a ground term t) in 
normal form. From now we remark that the equational theory employed is the 
empty one. 



Now, let us apply the second step of saturation. The closure applied on rules 
1 and 5 outputs the rule 8 : x, SK{y) 1 PK{y) -» x, the closure applied on rules 
3 and 6 outputs the rule 9 : x, y -» x which will be deleted by the simplification 
step introduced above as consequence of lemma 7. The closure applied on rules 
1 and 7 outputs the rule 10 : y, Bl(x,y), SK{z) -» Sig(x,SK(z)). 

We prove in the next lemma that the last rule is redundant when the em- 
ployed equational theory is the empty one. 

Lemma 14. Lei C[ = C U {x, SK(y), PK(y) -» x} U 

{y,BL(x,y),SK(z) -» Sig(x,SK(z))} and let C 2 = £[ \ 
{y, BL(x,y), SK(z) -» Sig(x, SK(z))}. Suppose that the employed equa- 
tional theory is the empty one. For any two sets of ground terms in normal 
form E and F we have: E F iff E -»£/ F. 

Proof. Let E and F be two sets of normal ground terms. The direct implication 
is obvious, let us prove the second one. Suppose that E -^>* r , F and let us prove 
that E -^>* c , F. Suppose that in the /^-derivation D starting from E to F there 

is some steps where the applied rule is in £[ \ C 2 that is, by definition of £[ and 
C 2 , the applied rule is y,Bl(x,y),Sk(z) -» Sig(x, SK(z)). 

Let i be the first step in the derivation where the applied rule is 
y, Bl{x,y)i Sk(z) -» Sig(x, SK(z)), we prove that this step can be replaced 
by other steps where the respectives applied rules are in C 2 . D : E = 
E Q -» . . . -» Ei -»y,Bi(x,y),sk(z)^Sig(x,SK(z)) Ei+i • • • ~» F. There is a ground 
substitution a in normal form such that {ya, Bl(x,y)o-, SK(z)a} C E^ and 
E i+ i = Ei U Sig(xa, SK(z)cr). Thus, the rule Bl(x,y),y -» x G C 2 with the 
substitution a can be applied first on Ei and outputs En = Ei U xa, then the 
rule x, y -» Sig(x, y) G C 2 also with the substitution a can be applied on En and 
outputs En U Sig(xa, SK(za)) = E i+1 . We deduce that each application of the 
rule y, Bl(x, y), Sk(z) -» Sig(x, SK(z)) in D can be replaced by the application 
of two rules in C 2 . We conclude that E -^>* c , F implies E -»►£, F. □ 

Remarks. 

Enforcing the termination of the Saturation. The application of the Sat- 
uration algorithm as is described in section 3 does not terminate. In 
fact, the rule 10 is an increasing one and closure rule can be applied 
on rules 10 and 7. The application of the closure outputs the rule 
11 : y,y',Bl(Bl(x,y),y'),SK(z) -» Sig{x 1 SK{z)) which is increasing. We 
remark that closure rule can be applied on the rules 11 and 7 and this appli- 
cation outputs a new increasing rule. In addition, closure rule can be applied 
again on the new obtained rule and the rule 7. We remark also that each 
such application of closure rule outputs a new increasing rule where the size 
of the terms in the left hand side is increased and closure rule can be applied 
again on this new obtained rule and the rule 7. This implies that we have an 
infinite sequence of application of closure rule. We remark that this infinite 
sequence is due to the presence of the rule 10. 



As a consequence from the previous lemma (where we prove that the rule 
y, Bl(x,y), SK(z) -» Sig(x, SK(z)) is redundant), we can delete this rule 
from the system immediately after its creation. This deletion enforces the 
termination of the Saturation. 
Saturated deduction system. Let X' = (Q, £' , 0} be the saturated deduction 
system, we have: 

J" Sig(x,SK(y)),PK(y)^x, 

^ U ) Sig{Bl{ Xl y), SK(z)), y -» Sig{x, SK(z)), 
[x,SK(y),PK(y)^x. 
In we note that only £o _r ules are increasing and the others are decreasing 
(by definition of increasing and decreasing rules). 

We recall that a derivation D starting from E of goal t is well-formed if for 
all rules I -» r applied with substitution a, for all u G I \ X we have either 
ua G E or ua was constructed by a former decreasing rule. 

In the next lemma, we prove that the system C satisfies the following lemma. 

Lemma 15. Let E (resp. t) be a set of terms (resp. a term) in normal form 
x' 

such that t G E . For all X' -derivations D starting from E of goal t we have 
either D is well-formed or there is another X 1 -derivation D' starting from E of 
goal t such that trace(-D) C trace(-D') and D' is well-formed. 
x' 

Proof. We have t G E implies that the set f2(E,t) of X'-derivations starting 
from E of goal t is not empty. Let D G f2(E,t), D : E = E -» E\ . . . 
E n -i,t, we denote k -» r 4 the rule applied at step i with the substitution 
this rule is well-applied if for all u G U \ X, we have either ua G E or ua was 
obtained by a former decreasing rule, otherwise it is bad-applied. 

Suppose that D is not well-formed then there is at least one step in the 
derivation D where the applied rule is bad-applied. At each such step, one the 
following rule is applied: 

Sig(x,SK(y)),PK(y)^x, 
Bl(x,y),y -» x, 

Sig(Bl(x, y),SK(z)), y - Sig(x, SK(z)), 
We note that the rule x, SK(y), PK(y) -» x can not be applied at such step 
because the rules x -» SK(x) and x -» PK(x) are not in £' . 

Let us prove that each application of the first (resp. the second) rule in D 
such that there is a non variable term in left hand side of the rule where the 
instance is obtained by a former increasing rule can be deleted from D without 
altering trace(J5). Let i be the first step where the first (resp. the second) rule 
is bad applied, that is there is a non variable term in left hand side where 
the instance is obtained by a former increasing rule. There is only one non 
variable term in the left hand side of the first (resp. the second) rule which 
can be obtained by a former increasing rule, this term is Sig(x, SK(y)) (resp. 
Bl(x,y)). Since the instance of this term, Sig(x, SK(y))a (resp. Bl(x 1 y)a), is 
obtained by a former increasing rule this last rule will be x, y — » Sig(x, y) (resp. 
x,y -» Bl(x,y)) and let h (h < i) be the step where this rule is applied. We 



deduce that {xa, SK(ya)} {resp. {xa,ya}) C Eh and then the rule applied 
at step i (which adds xa) does not add a new term and the step i can be 
deleted without modifying in trace(D). Let D' be the obtained derivation, we 
have trace(D)' = trace(D). We deduce that every step in D' where the rule 
Sig{x, SK(y)), PK{y) -» x (resp. the rule Bl(x,y),y -» x) is bad applied can 
be deleted without altering in the trace of D 1 and let d be the obtained derivation. 
We note that every application of the rule Sig{x, SK(y)), PK(y) -» x (resp. the 
rule Bl{x, y),y -» x) in d is a well-application. 

Suppose that d is not well-formed then there is at least one step where the 
rule applied is bad-applied. Let i be the first such step then the rule applied is 
Sig(Bl(x, y),SK(z)), y -» Sig(x, SK(z)) and Sig(Bl(x, y),SK{z))a is obtained 
by a former increasing rule, x, y -» Sig{x,y). Let h, (h <i), be the step where 
this increasing rule is applied. We deduce that {Bl(x, y)a, SK{z)a} C Ey t . If 
xa ^ Ei then the rule applied at step i in d can be replaced first by the ap- 
plication of Bl{x,y),y -» x then the application of x,y -» Sig{x,y). Let d! be 
the obtained derivation, d' : E -»...-» Ei -^Bi(x,y),y-»x Ei,xa -^x,y-»Sig(x,y) 
Ei, xa, Sig(x, SK(z))a -»...-» E n _i, t. By above and since xa Ei we have 
cither Bl(x, y)a G E or Bl(x, y)a is obtained by a former decreasing rule. 

If xa € Ei then the rule applied at step i in d can be replaced by the 
application of x,y — » Sig(x,y). Let d" be the obtained derivation, d" : E —» 
Ei -^ x , y -»sig(x,y) E i, Sig(x, SK{z))a £7 n _i, t. 

This implies that each bad application of the rule Sig{Bl(x, y), SK{z)), y -» 
Sig(x, SK(z)) can be replaced by one (or two) well-applied rules. We deduce that 
if the derivation D is not well-formed there is another well-formed derivation D" 
starting from E of goal t such that trace(D) C trace(D"). □ 

We remark that the above lemma is similar to the lemma 3. 

In order to solve Xo"g roun d reachability problems (definition 7), we apply the 
algorithm defined in section 4. Since the saturation applied on Cq terminates, 
by lemmas (4, 5, 8, 9 and 11) we deduce the following corollary: 

Corollary 1. The Jo-ground reachability problem is decidable. 

10 Decidability of reachability problems for subterm 
convergent theories 

In this section, we give a decidability result for the reachability problems for 
a class of subterm convergent equational theories. We recall that subterm con- 
vergent equational theories have finite variant property [18]. The result of this 
section is entailed by a more general result by Baudet [8], but the proof here in 
this specific case is much shorter. 

We recall that Q is a set of functions symbols and we denote by H a subterm 
convergent equational theory and by 2q = (Q, Co, Ti.) the initial deduction system 
such that Co is the union of functions x\,...,x n — » f(x\,...,x n ) for some 
function symbols / G Q. 



Definition 9. (Subterm convergent theories.) An equational theory Ti is sub- 
term convergent if it is generated by a convergent rewriting system TZ and for 
each rule I — > r G TZ, r is a strict subterm of I. 

In the rest of this section, we give an algorithm to decide the following reach- 
ability problem: 
lo-R-eachability Problem 

Input: An lo-constraint system C. 

Output: Sat iff there exists a substitution a such that a \=x a C. 

We let X' = (Q, £ , 0) to be the saturated deduction system. We suppose that 
r ^ I for all rules I -» r € C that is rules not satisfying this property will be 
deleted. 

In the following lemma we prove that, in the case of subterm convergent 
equational theories and under our assumption on the form of initial deduction 
rules Co, Saturation terminates and the obtained new rules are decreasing. 

Lemma 16. The saturation of Co terminates and for every rule I -» r G C'\Co 
there exists a term s G I such that r is a strict subterm of s. 
Proof. Let l-»re£'\£j and let us prove that this rule satisfies the following 
property: there is a term s G I such that r G SSub(s). By induction on the 
number of saturations needed to obtain a rule I -» r. 

Let us first prove this property is true for rules obtained by the step 1 of 
the saturation. By definition of Ti, by the fact that variants of term are in 
normal form and given the assumption that all original rules are x\, . . . , x n -» 
f(x\, . . . , x n ), this implies: 

(f(xi, . . .,x n )0)[ G SSub(/(xi, . . .,x n )9) 
Thus, there exists i such that: (f( x i> ■ ■ ■ , x n)&)i £ Sub(a;,0) 

If there is equality, the rule is removed (since r ^ / for all rules I -» r). This 
implies that all rules obtained from step 1 of saturation satisfies the property. 
Since Co is finite and since subterm convergent equational theories have finite 
variant property [18], first step of saturation terminates. Since u G SSub(w) 
implies u -<, v, rules obtained by step 1 are decreasing. Let C be the set of rules 
obtained by step 1 and let us prove that rules obtained by closure satisfy the 
property. Let us prove it for the first rule obtained by closure. By definition 
of closure rule and since rules in C \ C are decreasing, the first closure will 
be applied on rules X\ ■ ■ ■ ,x n -» f(x\, . . . , x n ) G Co and f{s\, . . . , s n ), I -» r G 
C\ Co- Again by definition of closure, the obtained rule is si, . . . , s n , I -» r. By 
definition of decreasing rule, there is a term u G {/(si, ■ ■ ■ , s n ), 1} such that r G 
SSub(w), if u = I then the new rule satisfies the property and if u = f{s\, . . . , s n ) 
then there is an integer i such that r G Sub(sj). If r G SSub(si) the obtained rule 
satisfies the property else the rule can not be in C (since rules I -» r with r G / 
are deleted). We conclude that the first rule obtained by closure is decreasing 
and if we apply again closure, it will be applied on a rule in Co and a rule not 
in Co. We conclude that rules obtained by step 2 satisfy the property and are 
decreasing . We conclude also that step 2 terminates. □ 



We recall that increasing rules are of form x%, . . . ,x n -» f(x\, . . . , x n ) for a 
function symbol f £ G (Lemma 16). 

10.1 Decidability result 

We recall that our goal is to solve Xo-reachability problem. 

Algorithm. Let C° = {{E° > w°)i e{ i,...,„},5°). 

Sfep -Z. Guess a finite variant substitution 6 for all terms of C , apply 
on these terms and normalise them then solve the obtained unification 
system. Finally, apply the obtained solution a on the constraints. Let 
C = ((Ei \> £s)ie{i,. ..,„}) be the obtained constraint system. 

We remark that this step terminates and it is also correct (Lemma 5) and 
complete (Lemma 4). Unless otherwise specified, T' is the deduction system 
implicit in all notations in the rest of this section. 

We now introduce the notation >i„ c to denote a deduction constraint that 
has to be solved using only increasing rules. We say a constraint E t> inc t is 
in solved form if t is a variable. The constraint system is in solved form if all 
the deduction constraints are in solved form. The application of a decreasing 
rule I -» r on a constraint E > t is defined as follows, and in accordance with 
Lemma 3: 

— let a be the mgu of the terms in I \ X with a subset F of E \ X 

— if {xi , . . . , Xk } — I (~1 X, replace C Q , E t> t,Cp with: 

(C Q , E [> inc xi,...,E \> inc x k ,EU{r} > t, Cp)a 

Wherc Cp is constructed from Cp by adding r to each left-hand side. This 
last construction aims at preserving the inclusion of knowledge sets. 

Step 2. Iterate until the constraint system is in solved form or un- 
solvable: 

1. Put all tagged deduction constraints E > inc t in solved form; 

2. If all constraints preceding an untagged E t> t are in solved form, 
Apply non-deterministically |Sub(£') \ Var(£')| decreasing rules on 
E. Replace E \> t by the obtained deduction constraints, all tagged 
with inc. 

Let us prove the completeness and termination of Step 2. 

Completeness. The proof of the following lemma is trivial by the form of in- 
creasing rules. 

Lemma 17. If cr \= E >i nc f(ti, ■ ■ ■ ,t n ) then either f(ti, ... : t n )a <E Ea or 
Xi, . . . , x n -» /(xi, . . . , x n ) will be in Cq and for each i £ {1, . . . , n} we have 

C (= E \>inc ti- 



The first part of the iteration consists either in transforming a deduc- 
tion constraint E \>i nc f{t\, . . . ,t n ) into E >i nc ti,...,E t>i nc t n , or in uni- 
fying f(ti,...,t n ) with e £ E. By Lemma 17, given a ground substitution 
er such that a \= E >i„ c /(ti, . . . ,t n ) there exists a sequence of choices re- 
ducing E t>i nc /(ti, . . • ,t n ) to a (possibly empty) set of deduction constraints 
Er\>i nc Ui, . . . ETt>i nc Uk where the u\, . . . , are variables or constants. If there 
is a constant which is not in Et the constraint is not satisfiablc (by definition 
of increasing rules), and the sequence of choices fails. 

Let us now consider the second part of the iteration. 

Lemma 18. Assume a \= E >i nc x with x the first variable in the sequence of 
deduction constraints such that t £ Sub(xa) for some ground term t. Then either 

there exists u £ Sub(-E) such that ug =t or t £ Eg C '" c . 

Proof. Let us assume there does not exist u £ Sub(i?) such that ua = t. 
By minimality of x and the determinacy of constraint systems we have t ^ 
Sub(Var(£Ocr). Since Sub{Ea) = Sub(£)crUSub(Var(£Ocr) we have t t Sub(Ecr) 
and, by hypothesis on x and i, t £ Sub(xcr). Since g \= E \>i nc x consider 
a derivation E\ = Eg -»...-» E n _\ U xa, and let i be minimal such that 
t £ Sub(£"i). The index i exists since t £ Sub(xcr), and is different from 1 
since t ^ Sub(_Bcr). By definition of the increasing rules wc then must have 
Ei = Ei-i,t. □ 

Consider a X'-constraint system C = (C Q ,Ez>t,Cp) satisfied by a substitution 
a and all deduction constraints in C a are in solved form. By Lemmas 3 and 16 
and by the fact that r £ I for all rules I r £ C, all decreasing rules applied 
on Eg yield a term in Sub(-Eer). Thus there are at most |Sub(£') \ V&r(E)\ 
different terms that can be obtained by decreasing rule starting from Eg and 
which are not in Sub(Var(£')cr). Assume a term t is in Sub(Var(S)cr) \ Sub(i?)cr, 
and let x be the first variable (in the ordering of deduction constraints) such 
that t £ Sub^c). By definition of constraint systems there exists a deduction 

constraint E x \>i nc x in C a . Since E x C E, by Lemma 18, we have t £ E x g *" c . 

Again, since E x g C Eg, this implies t £ Eg Cz " c : the decreasing rule was not 
useful, and can be replaced by a sequence of increasing. Thus in Eg at most 
|Sub(i?) \ V&r(E)\ terms are deducible using decreasing rules. Thus, after a right 
choice of at most |Sub(i?) \ Var(i?)| decreasing rules, all terms deducible from 
the obtained knowledge set can be deduced using only increasing rules, hence 
the tagging with inc of the final deduction constraint E U {r\, . . . , r^} >j nc t, 
k = |Sub(JS)\Var(£OI- 

Termination of Step 2. First let us notice that if a unification is chosen, it 
unifies two subterms of the constraint system in the empty theory, and thus 
cither the two terms were already equal or it reduces strictly the number of 
variables in the constraint system. Thus the number of unification choices is 
bounded by the number of variables in the constraint system. Once all unifica- 
tion have been performed, the termination of the first part of the iteration can 



easily be proved by considering the multiset of the right-hand side of the de- 
duction constraints, ordered by the extension to multisets of the (well-founded) 
subterm ordering. The second part of the iteration obviously terminates. Thus 
each iteration terminates. Since each iteration decreases strictly the number of 
non-labelled deduction constraints, Step 2. terminates. 

11 Conclusion 

In [17], H. Comon-Lundh proposes a two-steps strategy for solving general reach- 
ability problems: first, decide ground reachability problems and, second, reduce 
general reachability problems to ground reachability ones, e.g. by providing a 
bound on the size of a minimal solution of a problem. Our results are in this 
line: for contracting deduction systems, general reachability can be reduced to 
ground reachability. We strongly conjecture that it permits one to provide a 
bound on the size of minimal solutions. Also, we leave to the reader the proof of 
the fact that if saturation terminates, the deduction system is local in the sense 
defined in [9], Thus, this paper adds a new criterion to the one already known 
for deciding reachability problems. 

In future works, we will investigate how the construction presented here can 
be extended to equational theories having the finite variant property w.r.t. a 
non-empty equational theory. We will also try to weaken the definition of /i(T) 
for a set of terms T. 
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